Re: network (intranet?) privacy help Q...

If one human can make a code, another can break it. There is no perfect solution aside from getting your own computer and not hooking it into the network.

Reply to
Edwin Pawlowski

If I *really* (and I mean I'd have to really be inclined on a slow day), I could sniff the traffic from your machine and still get whatever I wanted. The anonymizer might not leave a trace on your system, but the traffic has to go out one way or another.

As someone else pointed out, you could look into PGP. It's not something I've worked with.

If I were you, I'd work on negotiations and job offers at home.

My opinion is that while you're at work on the company's time, don't do anything you wouldn't want the company to know about. Now, on your own time on your own computer is a different story. Basically, I wouldn't give a rat's ass what you did, again as long as you don't go creating work for me. Actually, if I were in a position to create such a policy and enforce it, I wouldn't even let people bring in their own machines for the following reasons. 1) They're likely to fuss when I need to update or install something on their machine that is necessary to protect other network resources, 2) You never know what they have on their machines when they bring them in and plug them into their network. At that point, you can forget about your firewall because someone just went around it.

todd

Reply to
Todd Fatheree

Answers contained within -

No, an anonymizer probably will not thwart the admin.

Probably.

Maybe. Wireless privacy/security is still not as good as other forms of networking. There are several forms of encryption that help from the laptop to the wireless access point. One of these is DES3, but it takes quite a bit of overhead since each packet has to be encrypted/decrypted three times. A packet will be encrypted by the drivers on your laptop and then the packet will be sent to the wireless access point. The access point will then decrypt the packet and send it on the network normally. One more thing, it will be the access point that determines what encryption is available. The network engineers will set the configuration in the access point to provide (or not) encryption, and what type of encryption. It could also define the encryption keys that would be required, etc. If you would be using a school wireless network, I would assume that you would have to be given very specific instructions on just how to configure the drivers on your laptop. You would not be able to just set any parameters that you wanted.

Does the school require your laptop to join the school's NT domain? If so, you may not have the leverage on your own laptop that you think you do. The school's domain controller could push security policies to your machine and pretty much lock it down as long as it is connected to the domain. What email system will you be using in the classroom? I would assume that these job offers and negotiations will not be via the school's email servers because if they are, you have no privacy from the admins. Period. An email administrator could log in to the server and look at anything. A network engineer could connect a network analyzer to the network and see any data packets that were going into, and out of your computer. Encryption would help in this case, but if I were really concerned about privacy I would not be looking at them from the school net.

I posted another response talking about network usage policy. To make a long story short, if the school does have a policy it could state that by using the school network you agree to let the admins monitor your computer (among other things). Ask for a copy.

Wayne

Reply to
NoOne N Particular

Quite the opposite, it's a red-flag to say "This guy is trying to pull something, keep an eye on him".

I could swear I answered that, maybe you missed it.

Yes, they are orders of magnitude less secure. And it still goes through your employer's network.

You want to use your _work_ account, not only to conduct personal business, but to look for another job? Sounds like a good way to _need_ another job. 10 bucks a month gets you a dialup account.

It's their network, their bandwidth, and if you're in the US, it has long been found to be within their rights. They can listen in on your personal phone calls too, by the way. Don't like it? Don't do it, or get the law changed.

"dishonest" implies that they hide it, which they clearly do not, or your question wouldn't have been asked in the first place.

Their network, their rules. Don't like it? Don't use it.

Reply to
Dave Hinz

I'm not concerned about raising his suspicions, I care only if he can do something about them.

Not in this thread...[I just checked, you did mention PGP in the other thread, but I don't think I'd read it before responding in this thread]

I'm not looking for another job, but I receive offers on a regular basis, and prefer to keep those conversations private. Do I hesitate to use a _work_ account for private business? Not usually, as long as it doesn't interfere with my work. Remember, teaching is not a 9-5 job. Most of my evenings are taken up with school work of one kind or another. And at private schools you must often give up evenings and weekends. We're entitled to some leeway. Standard business practices differ for obvious reasons.

Phone calls are still normally protected by law, unless the employee gives consent. And the fact that they own property you use does not give them absolute rights beyond that property. My intellectual property is also involved, and court decisions constantly undulate between those shared property rights. But I understand your pragmatic approach, and appreciate the advice.

I feel for the worker who has to give in to a Big Brother type corp. and give up so many privileges. I am not in that position. I am coveted, as far as school administrators go, and can make reasonable demands, but network admins are another ballgame altogether, I'm just trying to protect my privacy from *them*.

I have yet to feel hindered by the law in this regard, but if I have to work to see a law changed it won't be the first time.

Dishonesty does not, by necessity, imply hiding in the sense you use it here--at least in any of the standard philosophical tracts on ethics I've read. Although I suppose you could argue that an institution of the liberal arts that does not extend minimal privilege and trust to its teachers is "hiding" a pusillanimous suspicion, if they do not openly admit it. (I don't think that's what you meant.) Clearly, hiding is not a necessity for dishonesty: think how many immoral and illegal acts you are capable of--in fact many have done--being perfectly straightforward and open.

Dishonesty here is simply duplicity, pretending to be a humane institution while neglecting something like a "do unto others" standard. Privacy is a good thing: if you expect it, you'd better give it. School administrators understand that when I tell them, but network admins are given extraordinary power in having access to normally private information. I want to ensure that they don't misuse it on me.

Your caveat is well taken. But it is no more *their* network than it is mine. And who guards the guardians?

H.

Reply to
Hylourgos

On 1 Aug 2004 21:36:58 -0700, snipped-for-privacy@sewanee.edu (Hylourgos) vaguely proposed a theory ......and in reply I say!:

remove ns from my header address to reply via email

On their network, and email connection, they have the right to _do_ anything they want regarding your usage. You then have the right to fight that in arbitration, court or whatever.

"Honest, yer Honour! I only drive on the wrong side of the road when there's no other traffic!"

You talk of honesty, and yet you are hungrily asking for ways to secretly circumvent their finding out about what you do as their representative, on their equipt, and probably in their time on their pay to you. You begin to sound like exactly the sort of trouble they are hunting for.

In an organisation, if you are using their gear, you _are_ their rep, both internally and externally. If you surf around and are IDd in any way, it will probably be under their banner. They care about that. If you bring stuff back with you that compromises their system in any way, they have a right to do something about that.

In many organisations with serious, large networks and big reps or sensitive data, they simply will not allow anything except approved address, non-encrypted attachments and messages etc.

While you can swear black is blue you will not be "dishonest", the same cannot be said for everybody (believe me!) and there is always the chance that you will make a mistake. There is no way they know what is what without putting out blanket policies.

If you are concerned that your applications for other jobs will be used against you unfairly, then face up to the people concerned about it. If you are simply trying to hide your activities, then it's your problem. Leave the applications at home.

***************************************************** It's not the milk and honey we hate. It's having it rammed down our throats.
Reply to
Old Nick

Depending on the policies in place he can block the anonymizer, pull your account, or tell the Powers That Be to fire your ass.

Encryption is usable, but only if you're emailing to others who use encryption and have given you their public keys.

Then don't give out your work email address to prospective employers.

And it's my experience that nobody sends out unsolicited job offers without at least a phone interview first.

Are you or are you not the school administrator? If you are then you should outrank the network administrators.

If you care who is guarding the guardians then don't use the network for anything that you don't want the guardians to see. That's the bottom line. Given that you can get a computer perfectly adequate for checking your email for 20 bucks and if you have the right long distance provider get a free dial-up account from which to access it there's no reason to be using the company mail for sensitive correspondence.

Reply to
J. Clarke

Sure. Depending on which SSL encryption is used, he could grab the encrypted response, brute-force it, and have a decryption of enough of the traffic to be a problem in minutes, hours, or days. Also, this could be seen as "intentionally bypassing IT security", which is probably fireable anywhere. Certainly wouldn't look good on your review to be caught at something like this. Also, some of the anonymizers pass the URL info in the clear in the URL line, there it's simply a matter of them re-asking for the same thing to see where you were going. Further, if there is a proxy server at your school (as there most likely is), content of the proxy server can be cached for everyone, or for just people they chose to watch. All these things _can_ be done, but obviously I have no idea of _if_ they're being done where you are.

Nope, I didn't mention PGP. I said that if you're using a webmail that's https:// they will see you're going to a webmail server, but not be able to read the traffic without getting creative. If you're using a webmail that connects with https://, you might as well print everything and leave it laying on your desk, because it's that trivial to read.

Both of my parents being teachers, I'm aware of that.

You should find out what your school's acceptable internet usage policy is. Then, you can decide if and how you choose to violate it. Maybe they really don't care as long as you don't, as another admin put it, make more work for them. Over the years, I've run into a few "problem users", the ones who noise up my network, or are continually trying to find ways around the security I have built. For most of 'em, a "Hey, stop doing (thing) please, because it makes my monitoring stuff go nuts, OK?" was sufficient. But, I've also had the boss's boss call me into his office for the "We need to know what (person) is doing, web, email, everything" chat, and (person) was soon no longer working there.

For 10 bucks, you can bypass the whole thing by getting a home internet account. Heck, you may be able to use it _from_ work by dialing out on an outside line right from your classroom.

Check your employment agreement, you may have done so.

Maybe dialup from the classroom is the answer.

From my perspective, it's not about "Big Brother", it's about keeping crap from getting into the network. Obviously a Mac presents exactly zero threat of virus, trojan, or other infestation, so that's not a problem. However, I'm also responsible when the "network is slow" so I have to keep an eye on it to make sure people aren't watching streaming video from whatever sports site on bandwidth that isn't cheap, and so on.

Ethically, if they're snooping and don't have a damn good, work-related reason for it, they can and should be fired. You don't read a user's email just because you can, you don't snoop their traffic just because you want to get dirt on 'em. But, if it's "Wow, that port is taking a whole shitload of traffic, what kind of traffic is it", then it's certainly reasonable to expect that if it attracts attention, it might get investigated.

This is where I'm going to excuse myself from the conversation, because (a) I really don't care, and (b) can't be bothered. The situation is what it is, and that's what you need to either decide to live with, or circumvent, the conditions that exist.

Well, any admin who abuses their access should, and will, get fired. Employers, right now, have the right to order them to do so, and I don't see that changing any time soon.

Reply to
Dave Hinz
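To make concrete what the post above says a proxy or sniffer on the local network can see, here is an added example (not part of the thread, and not any poster's code). It assumes a simplified "client method target" proxy log format; all hostnames, log lines and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed proxy access-log lines in a simplified "client method target"
# form. They are sample data, not taken from the thread or a real network.
SAMPLE_LOG = """\
10.0.0.23 GET http://webmail.example.com/inbox?msg=41
10.0.0.23 CONNECT webmail.example.net:443
10.0.0.23 GET http://anon.example.org/browse/http://jobs.example.edu/offer/17
10.0.0.23 GET http://anon.example.org/go?u=http%3A%2F%2Fjobs.example.edu%2Foffer%2F18
"""


def embedded_url(target):
    """Return a URL carried in the clear inside another URL's path or
    query string (the anonymizer case described in the post), or None."""
    parts = urlsplit(target)
    rest = parts.path + ("?" + parts.query if parts.query else "")
    match = re.search(r"https?://.+", unquote(rest))
    return match.group(0) if match else None


def observe(line):
    """Report what a local observer can read from one log line."""
    client, method, target = line.split()
    if method == "CONNECT":
        # HTTPS through a proxy: only the destination host and port are
        # logged; the path and content travel inside the TLS tunnel.
        host = target.rsplit(":", 1)[0]
        return {"client": client, "host": host, "url": None, "embedded": None}
    # Plain HTTP: the full URL is logged, including any destination an
    # anonymizer service places in its own URL.
    return {
        "client": client,
        "host": urlsplit(target).hostname,
        "url": target,
        "embedded": embedded_url(target),
    }


def summarize(log_text):
    """Apply observe() to every non-empty line of a log."""
    return [observe(line) for line in log_text.splitlines() if line.strip()]


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```
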

An anonymizer prevents your personal information from going to a remote web-server. It does -nothing- as far as concealing what you are doing from someone with the ability to watch the local network traffic.

Well, maybe you _better_ hesitate.

All email to a work account is the property of the *employer*. They can read it, filter it, store it (permanently!), etc. *without* so much as a 'by your leave'. This has been litigated, more than once, and the law _is_ clear.

If the school in question is a public school, _any_ of your emails are subject to a FOIA demand.

If it's a private institution, they can still be compelled to produce any/all such mail, as part of 'discovery' in a legal action.

The "generally accepted standard" for email is: 'don't put in email anything you wouldn't put on a postcard.'

Encryption for email works. Unfortunately, it works *only* between those parties -- *both*ends* -- who have made advance arrangements to use it.

It's *USELESS* if one party doesn't have the appropriate tools/facilities.

NOT TRUE! I've been in discussions on that *very* point in an actual legal discussion group -- where I held the opinion that the employee _did_ have to give consent, and had the contrary facts (complete with case cites) rammed down my throat.

In the U.S., phone calls _at_work_, on work phones, are *NOT* protected to any significant extent against listening in _by_the_employer_, or an 'agent' of the employer. A pay phone, that happens to be located at the place of employment, is a different matter.

You are spouting bullsh*t.

The network, the equipment used to connect to the outside world, etc. are *their* property. THEY pay for it.

They have the absolute right to dictate how, and for what purposes their employees may use _their_ resources.

Your 'intellectual property' gives you *NOTHING* with regard to the use of _their_ facilities.

You have *no* "rights" to their equipment/property. In fact, there are *no* "rights" on the Internet, _none_whatsoever_. The only thing that exists is 'privileges'. Either extended as a courtesy, or as part of a contractual agreement.

Doing that is *really* simple. *DON'T*DO*ANYTHING* you don't want them to see, _from_their_network_. End of story.

The law says "their property, their rules." Trust me, you _don't_ want to see that changed.

[[.. munch ..]]

Then *don't* use the network. That _will_ *ENSURE* that there is no potential for mis-use.

Ignoramus.

Who owns the in-building network wiring? Who owns the in-building networking equipment? Who pays for the connection to the outside world?

Yes, it *IS* 'their' network. They being the company/school/etc. And the admins are the 'delegated agent' of the owners.

If the owners trust those admins to do the job the way the owners want it done, then _your_ opinion simply doesn't count/matter.

If you don't like it, don't use _their_ network.

'Who guards the guardians?' is not *your* concern. It matters only to those who are the employers of the guardians, and the owners of that which they are employed to guard.

Don't like it? Tough. Welcome to the 'real world'.

Reply to
Robert Bonomi

I agree with the response above. If you think about it, there isn't any significant difference between a data network and a voice network. They are both just pipes for information. It's just that one is usually digital data and the other is analog data. OK, before any flaming responses I am just trying to make a point. I am aware of digital PBX's and VOIP, etc. I am just pointing out that it doesn't really matter if the data originates in your pc or in your mouth.

I was involved in one such case where my employer wanted to record all of an employee's telephone calls and wanted to capture all data traffic to/from his pc. It was all legal and the network and telephone policy statements said so. We did not have the facility to record all voice conversations, but we did monitor his pc traffic and had all of his email and other files going back for a number of years.

If you are using company (school?) resources, they can do practically anything.

Wayne

Reply to
NoOne N Particular

A legal right? No, that is not correct.

Sorry, you are mistaking me for Kunta Kinte. I, on the other hand, am a freeborn American. What have I indicated I would do that seems dishonest to you? You write as if you are quite sure on this, so I'm curious what you have in mind....

Yes, this is a good point (although I would not say that using their gear--which is not entirely my case, as already explained--is a prerequisite to the concerns you mention).

Again, good points to consider.

You did not read carefully: I have no applications out.

Thanks for the thoughts, H

Reply to
Hylourgos

I don't. But it's not hard to find, and I'm listed in several professional indices. They contact me based on reputation, they know where I work, it's not exactly rocket science to get my e-mail addy.

That is clearly not my experience.

I think I made this clear already. Re-read the post if you need to.

Would I outrank a network admin? Who knows. Generally, my impression is that most school administrators value a decent network admin. more than a decent teacher. But a great teacher vs a mediocre network admin? Then it's more dicey, the latter ought to watch his step around the former.

Thanks for your comments, H.

Reply to
Hylourgos

Should one of those (the latter?) read http:// ?

I don't really want to subvert any well-intended security that our network has built for the purpose of protecting the network. I don't think I've ever done anything that remotely threatened the security of a network I've used. I just want to protect my own privacy.

Since I'm new at this school, I'm not really sure what the network admin is like, but I'll be sure to try to get to know him--that won't hurt regardless his snooping habits. In the meantime, I'd like to know just what and how well I can protect myself. You have answered that to my satisfaction, even though the answer was not optimistic.

I could do that, but I hate modem connections. I'll just wait until I get home to do anything that even hints of unapproved activity. Even Caesar's computer must be above suspicion nowadays, it seems.

I have not. I have in the past excised that clause from the terms of my contract.

Yes, there's always the other perspective, which has concerns just as valid as mine. I want my school's network admin to be vigilant, just as you must be. But I don't know how to protect myself should he be just as vigilant about snooping into my private affairs. Seems there's little I can do about it at this point in time.

You enjoin me to accept things as they are below, and I must return the favor at this point. You're right, of course, in the first sentence above. The problem is that very few administrators have the ability or inclination to discover a networker's transgression. Regarding the second sentence, you must have a bright outlook on human nature if you believe that. Me, I'm a Federalist 10/Duc de La Rochefoucauld kind of guy.

Right, and it gets tricky here, ethically and legally. A networker has such wide-ranging power and the to abuse that power in virtual privacy. Compare him to a police officer and search warrants, and you'll get what I mean.

But as you observe, that's how it is.

Ah, but you do care, you have been bothered, and thank you for the insights.

Should? Yes. Will? Rarely. Fewer than 1 in 1000 abusers get nailed on this one, I would venture to bet.

"so" being "to get fired"? (sorry, I'm not sure what you meant here)

Thanks again, I shall take your advice. H

Reply to
Hylourgos

Robert,

You have delivered quite the indignant tirade, which I hope indicates that this topic has touched some nerve in you originating outside this thread. Otherwise, all the puffery seems out of place....

The fact that such litigation continues at an increasing pace should be evidence to you that the law has not settled on this score. Your blanket statements here amount to little, and they ignore contract law. My contract, about which you know nothing, does not allow my employers to circumvent my privacy or the integrity of my intellectual property, including phone and digital communications.

A good point.

They can be ordered to do so, they cannot be compelled, not really, or at least not easily.

Wow, a legal discussion group, eh?--and an actual one at that. Not sure I'd brag about that as an authority, but you go girl.

And despite my inner rational person warning me not to, I'll bite: cite the cases, we'll see if I can trump them (BTW, that's how it's done in the real [legal] world).

That phrase "significant extent" is rather leading. Just what is the "extent" as you and your group understand it? And I hate to intrude on the authority of a legal discussion group, but do you think contract law might affect such rights?

Ah, yes. Please tell me that you have a law degree, and that your practice specializes in communications or privacy law. Otherwise, well, I guess we'll know who's spouting what....

I will disclose that I am not a lawyer. My legal experience, however, is probably enough in a few areas to know if someone else knows what he's talking about.

The alarms are ringing.

You noted above a distinction between public and private, I'll return the favor: who exactly owns a public school?

A) School administrators
B) Networkers
C) Some NGer spouting BS on the web
D) Taxpayers/citizens

If you gave the correct answer, D, then you are now free to understand that public school policy on such matters is susceptible to the pressures of the owners. That's me. And you. And many others. Not THEY. WE. Welcome.

For someone with the experience of a legal discussion group, you bandy the term "absolute" cavalierly. I would say, on the contrary, that you are absolutely wrong about their absolute rights. Ownership in very few things grants absolute rights over usufruct or other competing property rights.

Ah, back to the spouting.... And your source for this belief about intellectual property rights? (No doubt you, or better yet your discussion group, specialize in intellectual property rights, and this area of the law is to you also "clear".)

OK, I have a short quiz for you: I have a copyrighted document--or even, say, a copyrighted song--that is, illegally I say, disseminated on their network. Do they have the right to ignore my complaint? Do I have NO legal recourse with regard to the use of their facilities?

Think twice....

Assuming, as I know you must be, that said property is not public and I am not a citizen. Right?

??????? Is this a riddle?

Hmm...perhaps not, but I'd have to know more about who the "they" is (of "their").

Sort of makes for a more interesting conundrum when you realize that we, not they, own all that stuff in a public school, doesn't it?

...also makes for an interesting reconsideration of the word "ignoramus".

Let's just say I'm glad you don't get to decide this.

Then let's also say I'm glad that you are not representative of the "real world", only one small insignificant legal discussion group.

BTW, what was that, 1L, Parumph community college, what?

Public ownershiply yours, H

Reply to
Hylourgos

That's the way I see it.

Change that first "and" to a "because", and make the statement inclusive of an agreement and you're right, of course.

...which is why I excised that part out of a recent employee contract during negotiations.

No, they can't, not without your permission.

H, ...beginning to wonder if anyone here doesn't talk groupspeak.

Reply to
Hylourgos

If you're the school administrator you damned well _better_ know who your subordinates are.

What does "value" have to do with chain of command?

Why? Are network administrators subordinate to teachers but not to school administrators or something?

Reply to
J. Clarke

Since you already know all the answers, why did you ask the question?

Reply to
J. Clarke

On 3 Aug 2004 17:12:04 -0700, snipped-for-privacy@sewanee.edu (Hylourgos) vaguely proposed a theory ......and in reply I say!:

remove ns from my header address to reply via email

OK. So try it and challenge them!

Sounds a bit rude. Who?

and what?....

You are trying to ways to secretly circumvent their finding out about what you do as their representative, on their equipt, and probably in their time on their pay to you.

YOU read carefully. Where did I say you had any applications?

Bye. You have heard a lot. As I said in another post, I am glad to see you extracted the right attitude from it all.

***************************************************** It's not the milk and honey we hate. It's having it rammed down our throats.
Reply to
Old Nick

Thanks. Now get clear on the concept of who owns the network and how they could fire you for misusing it, and you'll be fine.

Yes.

But if they see you using an anonymizer, or ssh tunneling, or whatever, they may _feel_ it is being used to bypass what they have put in place, and that would be accurate. IF they wanted to, they could present it any way they chose. These aren't the sort of things that by themselves are likely to be a problem, but if someone gets an attitude and wants to "find something" on you, it gives 'em an easy target.

Buy him food and/or drink. Never hurts.

Yup.

Your responses here are not consistent with your responses to Nick.

There are plenty enough examples of people in my position being fired and/or sued for violating the trust that our job entitles that even those who aren't all that honest, are still very likely not to "go there".

OK, I'm sure that would mean a lot to someone who knows who that is. Me, I'm the "jaded and cynical" type.

Not at all. Once it starts impacting the hardware my boss pays me to keep from falling over and catching fire, it becomes my business. No fuzzy line, no gray areas, it's "What the hell is happening at IP address xxx.xxx.xxx.xxx that's saturating my switch". At that point, troubleshooting continues until the cause is identified. Like I said, in the past I've done the "Er, hi, please stop doing (thing) because it's making my monitoring stuff get all excited and paging me". Almost always that's been a self-correcting problem, I tell the person it's been noticed and that I know what he's doing (streaming media seems to be a favorite), and that I'd like it to stop. If it did continue, I'd get his streaming media player removed from his system or block the traffic at the switchgear, if he went around that, _then_ we start escalating it to managers. As per policy. No BigBrother about it, it's a clear case of Joe User going around what has been put in place to keep the network healthy.

If a cop breaks into your house without a warrant, they are also doing something not only illegal, but possibly fatal. Not sure how that relates to you putting traffic on my network that isn't supposed to be there.

Oh, damn.

No, what I'm saying is I don't care to get into the whole philosophical side of this, other than "tough, that's the situation, live with it or work to get it changed, but don't go around it or my counterpart is very likely to stop you".

I'm in the field, and you clearly are not. I have direct personal knowledge of two admins who were found doing this, and both of them were fired. Yes, limited sample size and all that, but it's _just_ _not_ _done_. When it's done, it's not tolerated.

"to do so" being "to monitor everything you do online". Again, caselaw has established this.

Reply to
Dave Hinz

Actually, Robert is speaking the truth and you don't like the answers. Your tone is amazingly inconsistent from one message to another, and makes me wonder why I'm bothering.

Reply to
Dave Hinz
